CIO

Why securing your APIs is essential in the connected computing era

by Mark Perry, APAC Chief Technology Officer at Ping Identity

Do you rely on an app or several to run your organisation? You’re far from alone. Cloud computing and the digital revolution are continuing to up-end the way Australian businesses do business. In enterprises of all stripes and sizes, paper-based and standalone systems are rapidly being replaced by a tapestry of interconnected applications.

Application programming interfaces (APIs) are the access points which enable these systems to communicate and exchange data with one another in a seamless fashion.

Ensuring APIs cannot be accessed by hackers and cyber-criminals should be a top priority for organisations which want to reap a productivity dividend without becoming a cyber-security statistic in the process.

Connectivity equals productivity

‘There’s an app for that’ became a popular catchphrase in the 2010s, as developers around the globe raced to develop mobile applications to assist individuals and businesses perform an almost infinite array of tasks and functions.

Research from cloud accounting software giant Xero suggests there are compelling commercial reasons for companies to embrace interconnected apps – and the more of them, the better. Published in 2018, the vendor’s ‘How digital connectivity is helping Australian small businesses thrive’ report found a correlation between integrated app usage and better business outcomes for SMEs.

Firms that connected third party apps with their Xero financial software enjoyed higher revenue growth in the 2018 financial year than firms with no connected apps: 5.5 per cent compared with 3.6 per cent, according to the report.

App-happy businesses have no shortage of options to choose from. Xero’s own app ‘ecosystem’ comprises more than 600 specialised solutions, all designed to assist with the multitude of tasks associated with running a business.

Developed by third party vendors, they cover a gamut of industries and every aspect of business management, including rostering, time tracking, payroll, human resources and expense and travel management.

An overlooked attack surface?

Organisations have, by necessity, become well versed in the practices needed to secure web applications, but rather less so in understanding and mitigating the risks posed by APIs themselves.

Incorporating API protection into your security strategy can help ensure the connectivity APIs provide is a strength, rather than a threat to the integrity of your business.

Track your APIs

It’s impossible to secure what you don’t realise you’re running. In many organisations, connected computing has been implemented in piecemeal fashion rather than by way of an orchestrated strategy. That means security professionals aren’t necessarily aware of all the APIs that are in use. Discovering and cataloguing them is the first step towards ensuring they are not used as a gateway to attack the enterprise.

Know how your APIs are used

Monitoring APIs is the key to understanding how they’re typically used – and when they might be misused. Need-to-know information includes who is accessing your APIs, how often and when. The object is to build up a picture of what’s normal and what’s not, for each and every API in use. Armed with this data, it’s possible to identify suspicious behaviour and block it before a breach occurs.
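The two steps above, cataloguing the APIs you run and baselining who calls them, how often and when, as an added Python example (not code from the article or from Ping Identity): it parses a constructed gateway access log, compares the endpoints seen in traffic against an assumed API inventory, and flags per-minute request bursts and clients that only ever get rejected. The log format, client names and the ten-requests-per-minute threshold are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed API gateway access log (sample data, not from the article).
# Assumed field order: timestamp client method path status
NORMAL = """\
2024-03-04T09:00:01Z partner-acme GET /v1/invoices 200
2024-03-04T09:00:40Z partner-acme GET /v1/invoices 200
2024-03-04T09:01:10Z payroll-app POST /v1/payroll/runs 201
2024-03-04T09:02:05Z unknown-client GET /v1/invoices 401
2024-03-04T09:02:06Z unknown-client GET /v1/payroll/runs 403
2024-03-04T09:04:00Z rostering-app GET /internal/v0/staff 200
"""
# One client pulling the invoice API 12 times inside a single minute.
BURST = "".join(f"2024-03-04T09:03:{s:02d}Z scraper-bot GET /v1/invoices 200\n" for s in range(12))
SAMPLE_LOG = NORMAL + BURST

# The catalogue of APIs the security team knows about (assumed); /internal/v0/staff is missing from it.
INVENTORY = {"/v1/invoices", "/v1/payroll/runs"}
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def parse(log_text):
    """Turn raw lines into (timestamp, client, method, path, status) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, path, status = m.groups()
            ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            events.append((ts, client, method, path, int(status)))
    return events

def review(events, inventory, max_per_minute=10):
    """Answer the who / how often / when questions and flag what falls outside the baseline."""
    per_minute = Counter((c, p, ts.replace(second=0)) for ts, c, _, p, _ in events)
    denied = Counter(c for _, c, _, _, st in events if st in (401, 403))
    served = Counter(c for _, c, _, _, st in events if st < 400)
    return {
        # Endpoints seen in traffic that nobody has catalogued: you cannot secure what you do not know about.
        "uncatalogued": sorted({p for _, _, _, p, _ in events if p not in inventory}),
        # Request bursts above the agreed per-minute baseline for that client and API.
        "bursts": [(c, p, m.isoformat(), n) for (c, p, m), n in sorted(per_minute.items()) if n > max_per_minute],
        # Clients that are only ever rejected: worth a look, since legitimate integrations succeed at least sometimes.
        "denied_only": sorted(c for c in denied if c not in served),
    }

if __name__ == "__main__":
    for key, value in review(parse(SAMPLE_LOG), INVENTORY).items():
        print(key, value)
```

In practice the inventory would come from the API gateway or catalogue and the per-minute threshold from each API's observed history rather than a fixed constant.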

Does it matter whether APIs are public or developed for internal or partner purposes only? Not really. Both types have the potential to become attack vectors and should be subject to the same security measures.

Research suggests there’s a greater degree of slackness around internally developed APIs. According to a recent study, more than a quarter make it through the development stage without security oversight. Closer collaboration between programmers and security specialists during development is the key to ensuring new APIs don’t slip under the radar and into use unsecured.

Tools to help you keep track

Technology is your friend when it comes to preventing, detecting and disarming API attacks. Monitoring tools which harness the power of artificial intelligence make it easier to stay a step ahead of hackers and cyber criminals intent on finding and exploiting poorly secured paths into the enterprise.

Time to act

We’re in the era of ultra-connectivity and Australian businesses which aren’t implementing their own collection of best-of-breed apps are likely to find themselves at a disadvantage to those that are.

Ensuring the APIs which enable your array of solutions to work together effectively don’t become an Achilles heel makes sense for enterprises which want to enjoy an efficiency dividend without compromising the security of core systems and data.